Skip to main content

Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics

Pentest Notes: PowerShell Automation - Basics

These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques.

What is PowerShell?

A powerful scripting language and command-line shell built on the .NET framework, heavily integrated with Windows. Ideal for system administration and automation, making it a valuable tool for pentesters.

Why PowerShell for Pentesting?

  • Native to Windows: Pre-installed on most Windows systems.
  • Object-oriented: Allows for complex data manipulation and interaction with APIs.
  • Access to .NET Framework: Enables interaction with a vast library of classes and functions.
  • Remoting capabilities: Execute commands on remote systems.
  • Bypass security restrictions: Can be used to circumvent some security measures if not properly configured.

Basic Syntax

  • Cmdlets: Commands in PowerShell (e.g., Get-Process, Get-Service, Get-ChildItem).
  • Pipes (|): Used to chain cmdlets, passing the output of one cmdlet as input to the next.
  • Objects: PowerShell works with objects, not just text.
  • Variables: Use $ to define variables (e.g., $process = Get-Process).

Key Cmdlets for Pentesting

  • System Information Gathering:
    • Get-WmiObject: Access WMI (Windows Management Instrumentation) for detailed system information (e.g., OS version, hardware details, installed software).
    • Get-ComputerInfo: Provides a summary of computer information.
    • Get-Process: Lists running processes.
    • Get-Service: Lists services.
    • Get-LocalUser: Lists local users.
    • Get-NetIPAddress, Get-NetAdapter: Network information.
  • File System Interaction:
    • Get-ChildItem: Lists files and directories (equivalent to dir or ls).
    • New-Item: Creates files and directories.
    • Remove-Item: Deletes files and directories.
    • Get-Content: Reads file content.
    • Set-Content: Writes content to a file.
  • Networking:
    • Test-NetConnection: Checks network connectivity and port status (equivalent to ping or telnet).
    • Invoke-WebRequest: Sends HTTP requests (useful for web application testing).
  • Security:
    • Get-EventLog: Retrieves event logs (useful for post-exploitation and log analysis).
    • Get-Acl: Retrieves Access Control Lists (ACLs) for files, directories, and other objects.
  • Execution:
    • Invoke-Expression: Executes a string as a PowerShell command (use with caution due to security risks).
    • Start-Process: Starts a new process.
  • PowerShell Remoting:
    • Enabling Remoting: Enable-PSRemoting.
    • Connecting to Remote Systems: Enter-PSSession -ComputerName "hostname/IP".
    • Executing Commands Remotely: Invoke-Command -ComputerName "hostname/IP" -ScriptBlock { "Commands" }.
    • CredSSP: Delegate credentials for multi-hop scenarios.

Exploitation Techniques

  • Bypassing Execution Policies:
    • Set-ExecutionPolicy Bypass -Scope Process: Bypasses execution policy for the current process.
    • Encoding/Obfuscation: Techniques to evade detection by security software.
  • Credential Dumping:
    • Mimikatz: A powerful tool for extracting credentials from memory (often used with PowerShell).
    • PowerShell scripts for extracting credentials from LSASS.
  • Lateral Movement:
    • Using PowerShell Remoting and credential theft to move between systems within a network.
    • Web Shells: Deploying web shells using PowerShell for persistent access.

Defense Evasion

  • Obfuscation: Encoding, string manipulation, and other techniques to make PowerShell scripts harder to analyze.
  • AMS (Antimalware Scan Interface) Bypass: Techniques to avoid detection by AMS.
  • Logging and Monitoring Evasion: Techniques to minimize logging and avoid detection by security monitoring tools.

Resources and Tools

  • PowerSploit: A collection of PowerShell modules for penetration testing.
  • Nishang: Another collection of PowerShell scripts and modules for offensive security.
  • Invoke-Obfuscation: A PowerShell obfuscation framework.
  • Empire: A post-exploitation framework that uses PowerShell agents.
  • PSAttack: PowerShell Attack Framework.

Best Practices

  • Code Review: Always review PowerShell scripts before executing them.
  • Principle of Least Privilege: Use the minimum necessary privileges when executing PowerShell commands.
  • Logging and Monitoring: Implement proper logging and monitoring to detect malicious PowerShell activity.
  • Constrained Language Mode: Restricts PowerShell to a subset of its functionality, limiting the impact of malicious scripts.
  • Application Control: Whitelisting allowed PowerShell scripts and modules.

Example Snippets

  • Get System Info: 
    Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
  • Check Port: 
    Test-NetConnection -ComputerName <IP/Hostname> -Port <Port>
  • Download File: 
    Invoke-WebRequest -Uri <URL> -OutFile <LocalPath>

IX. Conclusion

PowerShell is a powerful tool for penetration testing. Understanding its capabilities and limitations is essential for both offensive and defensive security. These notes provide a starting point for learning PowerShell automation for pentesting. Continuous learning and practice are key to mastering this valuable skill.

This outline provides a more structured and comprehensive set of notes. Remember to practice these techniques in a safe and legal environment.

Comments

Post a Comment

Popular posts from this blog

Thread Modelling Cheatsheet: Know Your Weaknesses Before Attackers Do!

Threat Modelling Part - 1 What is Threat Modelling?      Threat modelling is the process of identifying, assessing, and mitigating potential security threats before they happen. It helps teams anticipate how systems can be attacked and build defences proactively , not reactively. Key Concepts Threat: Something (like a hacker or malware) that could exploit a weakness. Vulnerability: A flaw in your system that can be exploited. Risk: The chance that a threat will exploit a vulnerability to cause damage. Analogy : Threat = Burglar Vulnerability = Unlocked door Risk = Getting robbed because the door is open in a bad neighborhood  Threat Modelling Process (High-Level) Define the Scope – What systems/apps are you evaluating? Identify Assets – What needs protection? (e.g. data, services) Identify Threats – Think like an attacker. What could go wrong? Analyze Vulnerabilities – What weaknesses exist? Prioritize Ri...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25

 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS)   Connect We can use Telnet to connect to the remote server. Here is a command using Telnet: telnet example.com 25 Enumeration Identifying a SMTP Server You can use Nmap to check if there's an Telnet server on a target host like this: nmap -p25,465,587 -sV -Pn target.com Additional Nmap commands for enumeration nmap --script smtp-brute -p 25,465,587 "target-ip" nmap --script smtp-commands -p 25,465,587 "target-ip" nmap --script smtp-enum-users -p 25,465,587 "target-ip" nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip" nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip" nmap --script smtp-* -p 25,465,587 "target-ip" Enumer...
Post a Comment
Read more